19 Replies Latest reply on Nov 7, 2012 4:16 PM by uzanatta

    How does SSO & EE work?

    quasi

      So I'm having some issues while testing single sign-on with EEPC 6.2.

      Basically we are seeing some issues where if a user changes his Windows AD password, the laptop with EEPC gets out of sync. Basically the laptop will require the old password to get past the "pre-boot" environment, and then the user is presented with the Windows logon and SSO obviously doesn't work. When the user enters their new Windows password to log in properly, the "pre-boot" password never updates. Multiple reboots/attempts.

      To sum it up:

      - SSO works fine until a password change
      - If an AD password change happens on a client other than the laptop, the pre-boot password doesn't get updated.

      What I would love to know is how AD passwords get synced with EEPC. I know EEPC can pull domain users from the laptop, or you can add them manually. But how do endpoint encrypted devices know to accept updated AD credentials?

      If I'm fundamentally misunderstanding something here... let me know.

      Thanks.

        • 1. Re: How does SSO & EE work?

          If you're changing it during a ctrl-alt-del event, then EEPC has a network provider which Windows notifies of the change. It then immediately tries to change the pre-boot password. Then, at some point in the future, an EPO policy update will occur, and that new password will get sent up to EPO for distribution to other machines.

          When you do an SSO login, if that fails and you type new Windows credentials, the EEPC credential provider will pick up the change and do the same thing.

          Two different systems: network provider for an initiated change, and credential provider for a change during a login.

          This is all for Vista+ of course - XP and before use a network provider and GINA module.

          If one or the other does not work, it's usually the fault of third-party modules (other people's credential providers or network providers not working properly), OR the password the user is trying to change to is unacceptable to EEPC because of content or history rules (try to change to it within the pre-boot itself).

          • 2. Re: How does SSO & EE work?
            quasi

            Thanks, that's very helpful.

            I wonder where the breakdown is occurring. The password change is taking place during a ctrl-alt-delete scenario on a Windows 7 desktop without EEPC.

            It's ALSO being entered at the Windows logon on the laptop, after getting past pre-boot with the old password.

            Content rules have been set up so that only the "Windows Password content" is checked off.

            I can't really think of any third-party module that would be interfering here... can you think of anything that you've seen in the past?

            • 3. Re: How does SSO & EE work?

              Well, if you change the pwd on a machine without EEPC, EEPC won't get to hear of it until the next SSO login event.

              I would:

              a) try the same password change manually in the pre-boot to see if it gets rejected
              b) look at the credential provider list to make sure there are no third-party ones there.
              c) verify that the policy is indeed set to sync the passwords

              I expect there's something simple being overlooked.

              Finally, remember, just logging on with the password in Windows won't cause it to sync - it has to be part of a failed SSO attempt by EEPC before EEPC knows something's amiss. This sometimes causes problems because Windows will merrily accept the old password for some time until it gets notified by AD of a change. I've seen it work perfectly for days if not longer.

              • 4. Re: How does SSO & EE work?
                quasi

                When you say the credential provider list, are you referring to the list that can be seen in the Windows registry? Or is there a spot in EEPC where you can see the provider list? Just an FYI, we've also disabled changing passwords at pre-boot to avoid getting pre-boot passwords out of sync with AD.

                • 5. Re: How does SSO & EE work?

                  As you say, the one in the registry.
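The check suggested in replies 3 and 5 (review the credential provider list in the registry for third-party entries) can be scripted. The following PowerShell is an added example written for this page; it is not code from the thread, from McAfee or from Dell. It reads the standard Windows registry locations for credential providers, credential provider filters and network providers, resolves each to its DLL, and reports the Authenticode signer so that Microsoft components can be told apart from third-party ones. It does not assume which entry belongs to EEPC or to KACE; that is for the reader to judge from the Signer column. Run it from an elevated prompt on the affected Vista+ machine (XP uses GINA instead of credential providers, as reply 1 notes).

```powershell
# Added example (not from the thread): inventory the components that sit in the
# Windows logon and password-change path, with the signer of each DLL.
# Registry paths below are the standard Windows locations; nothing is EEPC-specific.

function Get-DllSigner {
    param([string]$Path)
    # Provider paths may contain %SystemRoot% and may be quoted; normalise both.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not (Test-Path -LiteralPath $expanded)) { return "<file not found: $expanded>" }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid') { return "<signature $($sig.Status)>" }
    return $sig.SignerCertificate.Subject
}

function Get-CredentialProviderInventory {
    $roots = @{
        Provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
        Filter   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
    }
    foreach ($kind in $roots.Keys) {
        $root = $roots[$kind]
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            # The CLSID's InprocServer32 default value names the DLL that implements it.
            $server = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = $(if ($server) { $server.'(default)' } else { $null })
            [PSCustomObject]@{
                Kind   = $kind
                Name   = (Get-ItemProperty $key.PSPath).'(default)'
                CLSID  = $clsid
                Dll    = $dll
                Signer = $(if ($dll) { Get-DllSigner $dll } else { '<no InprocServer32>' })
            }
        }
    }
}

function Get-NetworkProviderInventory {
    # ProviderOrder is the comma-separated list Windows consults, in that order.
    $order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($svc in ($order -split ',')) {
        $np = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\NetworkProvider" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Service = $svc
            Name    = $np.Name
            Dll     = $np.ProviderPath
            Signer  = $(if ($np.ProviderPath) { Get-DllSigner $np.ProviderPath } else { '<no NetworkProvider key>' })
        }
    }
}

Write-Host '== Credential providers and filters =='
Get-CredentialProviderInventory | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap

Write-Host '== Network providers (in ProviderOrder) =='
Get-NetworkProviderInventory | Format-Table -AutoSize -Wrap

# Anything whose signer is not a Microsoft subject, or that is unsigned, is a
# third-party component in the logon / password-change path worth examining.
Write-Host '== Non-Microsoft or unsigned components =='
@(Get-CredentialProviderInventory) + @(Get-NetworkProviderInventory) |
    Where-Object { $_.Signer -notlike '*Microsoft*' } |
    Select-Object Name, Dll, Signer | Format-Table -AutoSize -Wrap
```

Both the credential provider list and the network provider order matter here because, as reply 1 explains, EEPC uses one mechanism for a ctrl-alt-del initiated change (network provider) and another for a change made after a failed SSO login (credential provider); a third-party entry in either list is a candidate for the interference described.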

                  • 6. Re: How does SSO & EE work?
                    quasi

                    - Ahh, so we have at least one third-party provider listed, which is used to push patches and system management: Dell's KACE system.
                    - Checked that SSO is enabled and sync is enabled.
                    - "Must match username" is enabled - is this part of the problem? See below.

                    We have at least one system where both the previous password AND the current AD password are no longer working in pre-boot (my own laptop). Probably just need to manually recover and reset the password at this point.

                    Is there a log file I can look at on the client side to see what credentials pre-boot is expecting...? The nice thing is that I can still get into the box because another pre-boot authorized user's password is still working, but it doesn't log all the way into Windows.

                    It's like this:

                    1) UserA cannot get past pre-boot. Neither old nor new password works.
                    2) UserB can still get past pre-boot, but when Windows comes up it is showing UserA's Windows login prompt. When I log in here with UserA's Windows AD account, it logs in fine but doesn't sync.

                    • 7. Re: How does SSO & EE work?

                      Yes, if you have the name matching on, it won't sync passwords from dissimilar user names.

                      This stops a general user from accidentally getting an admin SSO.

                      • 8. Re: How does SSO & EE work?
                        quasi

                        Any thoughts on this scenario:

                        We have at least one system where both the previous password AND the current AD password are no longer working in pre-boot (my own laptop). Probably just need to manually recover and reset the password at this point.

                        Is there a log file I can look at on the client side to see what credentials pre-boot is expecting...? The nice thing is that I can still get into the box because another pre-boot authorized user's password is still working, but it doesn't log all the way into Windows.

                        It's like this:

                        UserA & UserB are both authorized in pre-boot as valid.

                        1) UserA cannot get past pre-boot. Neither old nor new password works.
                        2) UserB can still get past pre-boot, but when Windows comes up it is showing UserA's Windows login prompt. When I log in here with UserA's Windows AD account, it logs in fine but doesn't sync.

                        • 9. Re: How does SSO & EE work?

                          try 12345?

                          No, there's no log file which will tell you the password - that would be a huge security blunder. You could look at the user audit and see when it was changed last, I guess, though?

                          Remember, it won't sync dissimilar user name credentials with the policy option set - my advice is to leave it that way, as it causes huge confusion when EEPC SSOs in with someone else's user name.
